A rational secret sharing scheme is a game in which each party responsible for reconstructing a 
secret tries to maximize his utility by obtaining the secret alone. Quantum secret sharing schemes, 
either derived from quantum teleportation or from quantum error correcting code, do not succeed 
when we assume rational participants. This is because all existing quantum secret sharing schemes 
consider that the secret is reconstructed by a party chosen by the dealer. In this paper, for the 
first time, we propose a quantum secret sharing scheme which is resistant to rational parties. The 
proposed scheme is fair (everyone gets the secret), correct and achieves strict Nash equilibrium. 


I. INTRODUCTION AND MOTIVATION 

Secret sharing is an important primitive in cryptography. It can be considered as a special case of secure multiparty computation, which has applications in electronic voting, cloud computing, online auction etc. Recently, significant effort has been given towards bridging the gap between two apparently unrelated domains, namely, cryptography and game theory. Cryptography deals with the ‘worst case’ scenario, making the protocols secure against malicious behavior of a party. However, in the game theoretic perspective, a protocol is designed against the rational deviation of a party.

In the rational domain there is no concept of trust. Rational players are classified as neither ‘good’ nor ‘bad’. They participate in the game with a motivation to maximize their utility. In cryptography, one may consider this as a special type of attack vector. However, this does not impose any special condition on the adversary; it rather adds more flexibility to the adversary.

It has been commented that quantum secret sharing can be treated as a game between the legitimate parties. Very recently, Brunner and Linden showed a deep link between quantum physics and game theory. By bringing quantum mechanics into the game, they showed that players who can use quantum resources, such as entangled quantum particles, can outperform classical players. This is because, in the classical domain, the security depends on some computational hardness and thus is conditional. On the other hand, in the quantum domain, the security comes from the laws of physics and thus is unconditional. In this paper, for the first time, we introduce the rationality concept of game theory in quantum secret sharing.

A (t, n) or t-out-of-n threshold secret sharing scheme comprises the distribution of shares of a secret $s$ among $n$ players $P_1, \ldots, P_n$, such that at least $t$ of these players must communicate their shares to each other to reconstruct the secret. An example of such a secret sharing scheme is Shamir’s scheme, which uses the concept of polynomial interpolation for generation and distribution of shares of the secret by a dealer and subsequent reconstruction of the secret by the players. Players that are ‘good’ or ‘honest’ cooperate to reconstruct the secret, while players that are ‘bad’ or malicious do not cooperate. So, for successful reconstruction of the secret, at most $(n - t)$ players can be ‘bad’.

In classical threshold secret sharing, Halpern and Teague introduced the concept of rational players. Each rational party wishes to learn the secret while allowing as few others as possible to learn the secret. Halpern and Teague showed that in the presence of rational players, Shamir’s scheme fails. Specifically, no rational player has the incentive to send his share during secret reconstruction. From the viewpoint of each player $P_i$, either $(t - 1)$ other players send their shares or they do not. If they send, then $P_i$, even without sending his own share, can reconstruct the secret for himself without allowing these $(t - 1)$ players to reconstruct. If they do not send, then none of the players can reconstruct the secret. So from each player $P_i$’s point of view, not sending his share weakly dominates sending his share. Thus the Nash equilibrium achieved in Shamir’s secret sharing corresponds to the case when nobody sends anything to each other. To mitigate this problem, the concept of rational secret sharing (RSS) was introduced. Its application in secure multiparty computation is known as rational multi-party computation or RMPC and has been an active area of research in recent times.

The idea of quantum secret sharing (QSS) of a single qubit was first due to Hillery et al., using three and four qubit GHZ states. Later, this process was investigated by Karlsson et al. using three particle entanglement, Cleve et al. using a process similar to error correction, and Zheng using the W state. The QSS of an arbitrary two-qubit state was proposed by Deng et al. using two GHZ states. QSS using cluster states was demonstrated by Nie, Panigrahi, and Han. Recently, two qubit QSS was discussed using arbitrary pure or mixed resource states and asymmetric multipartite state. Note that in t-out-of-n QSS, the dealer chooses to reveal the secret to a specific subset of $t$ parties and not to any arbitrary subset of $t$ parties.


A. QSS with Rational Adversaries 

In QSS, all the parties are ‘good’ or ‘honest’ as they have agreed to reconstruct the secret for the party (or parties) chosen by the dealer. However, if we impose rational behavior of the participants in QSS, it is quite natural for the last player, who generates the secret, to quit with the secret alone. Hence, the other players always prefer not to give their shares (either classical bits or quantum bits), and the traditional QSS scheme fails if the players behave rationally. As in the classical case, one may consider this as a special type of attack vector in quantum secret sharing. In the context of quantum secret sharing, it is an important attack vector to consider. However, this does not impose any special condition on the adversary; it rather empowers the adversary with more flexibility. In this paper, for the first time, we propose a quantum secret sharing scheme that resists this kind of attack vector and forces the participants to send the shares, though they are rational in nature. We call this scheme a quantum rational secret sharing (QRSS) scheme.

In the classical domain, the adversary that controls a player may be computationally bounded, but in the quantum domain the adversary is always assumed to have unbounded computational power. Because of this, we assume a computationally unbounded adversary throughout the entire paper and modify the security notions in this direction.


B. Security Issues 

In classical RSS protocols, two types of settings are considered. One is called the fail-stop setting and the other is known as the Byzantine setting. In the fail-stop setting, a player may abort early in an attempt to obtain the secret alone but does not send false shares of the secret. In the Byzantine setting, by contrast, a player can behave arbitrarily, i.e., he can abort early or can fabricate a false share.

For share generation, rational multiparty computation exploits the idea of Shamir’s secret sharing, the security of which comes from the interpolation theorem. Thus, it does not depend on some unproven hypothesis on computational hardness. However, Tompa and Woll showed that in Shamir’s scheme, any $(t - 1)$ participants can fabricate false shares in order to deceive the $t$-th participant into believing in a legal but incorrect secret. In other words, Shamir’s basic scheme is not secure against Byzantine players.
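The two failure modes of plain Shamir sharing described so far (Halpern and Teague's withholding argument, and Tompa and Woll's fabricated shares) can be reproduced with a few lines of field arithmetic. This is an added example, not code from the paper; the modulus, player indices and function names are constructed for the illustration, and it shows why the classical RSS protocols discussed here have the dealer sign every share.

```python
import random

P = 2**61 - 1  # prime field modulus (constructed choice for this sketch)


def make_shares(secret, t, n, rng):
    """Dealer: random degree-(t-1) polynomial f with f(0) = secret; share i is f(i)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}


def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(P); points is {x: y}."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruction_round(shares, group, silent, t):
    """Every player in `group` except those in `silent` sends his share to the others.
    Returns {player: reconstructed value, or None if he holds fewer than t shares}."""
    views = {}
    for p in group:
        held = {p: shares[p]}
        held.update({q: shares[q] for q in group if q != p and q not in silent})
        views[p] = interpolate_at_zero(held) if len(held) >= t else None
    return views


def forged_round(shares, colluders, victim, delta):
    """Tompa-Woll: the t-1 colluders shift their shares by D(x) = delta * (1 - x / victim).
    D(0) = delta and D(victim) = 0, so the victim's own share still fits and he
    interpolates f + D, a legal-looking but incorrect secret."""
    inv_v = pow(victim, -1, P)
    sent = {c: (shares[c] + delta * (1 - c * inv_v)) % P for c in colluders}
    sent[victim] = shares[victim]
    return interpolate_at_zero(sent)


if __name__ == "__main__":
    rng = random.Random(7)
    secret = 123456789
    shares = make_shares(secret, t=3, n=5, rng=rng)
    print("all send:        ", reconstruction_round(shares, [1, 2, 3], set(), 3))
    print("player 1 silent: ", reconstruction_round(shares, [1, 2, 3], {1}, 3))
    print("victim 3 obtains:", forged_round(shares, [1, 2], 3, delta=1000))
```

With unsigned shares the victim has no way to tell the shifted polynomial from the dealer's; a signature or verifiable share check on each received share is what closes this gap.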

One straightforward solution to this problem is to send signed shares by the distributor (dealer) to the participants. Another approach is to use verifiable secret sharing [13]. Note that both these approaches are based upon unproven assumptions such as the intractability of integer factorization or the existence of secure encryption schemes.

Interestingly, Tompa and Woll proposed a scheme that mitigates the hidden problem of cheating in Shamir’s secret sharing without any unproven assumption. They showed that the probability of undetected cheating can be made less than $\epsilon$, for any $\epsilon > 0$, by suitably choosing a large prime (that depends on $\epsilon$) as the modulus of the underlying field.

Thus, the security issues of classical RSS can be subdivided into the following notions: 1) security of the underlying secret sharing, 2) security of a signature scheme, 3) security against rational players. The security issues of 1 and 2 have been discussed in a number of works. This is why the works on rational secret sharing have concentrated only on the security of the rational part, which is formalized in terms of fairness, correctness and Nash equilibrium. In this paper, we follow the same approach in the quantum domain.

In the quantum domain, we impose rationality issues on top of the quantum secret sharing model which exploits quantum error correcting code. Thus, the security of the secret sharing part comes from the security of the quantum error correcting code, specifically CSS code [20]. Note that as we exploit the quantum error correcting code to encode the secret, no unauthorized party can extract any information by subverting one or more authorized parties [23].

Further, the existing RSS literature deals with various flavours of Nash equilibrium. As we assume a computationally unbounded adversary in the quantum domain, we consider strict Nash equilibrium here.

In classical RSS, the dealer signs each share so that no player can give out wrong shares to others. However, in the quantum setting the scenario is different. Typically, quantum signature schemes consider signing either classical messages or a quantum message string with independent qubits [35]. In these works, there is no concept of entanglement among the distributed shares, whereas in our proposed scheme, the shares are entangled. It is not yet known how to sign such qubits which contain the information of the secret, as any type of measurement on those qubits will destroy the entanglement and hence the information related to the secret. For this reason, we assume that a rational player in the quantum setting is fail-stop by nature, i.e., he may abort early with the motivation to get the secret alone, but does not send false shares of the secret.

In the quantum domain, it is very natural for a player to measure his share as soon as he gets it. However, in this work, we encode the secret by CSS code which takes care of arbitrary error. Thus measuring his qubit in an arbitrary basis gives no advantage to the player. Even with unconditional power of computation, the quantum adversary extracts no information about the secret. Moreover, if he measures the share, he will lose the information stored in the qubit. Thus no player has any incentive to measure his qubit(s) and each player communicates each share as it is received from the dealer.


II. PRELIMINARIES 

In this section, we briefly describe classical rational secret sharing and discuss the concepts of rationality, fairness, correctness and equilibrium used in this work. We also extend these concepts in the quantum domain.

The dealer in a classical rational secret sharing (RSS) protocol is honest and can be online or offline. An online dealer remains available throughout the secret reconstruction protocol, whereas an offline dealer becomes unavailable after distributing the shares of the secret. Note that an online dealer is not very practical as he repeatedly interacts with the players and such a dealer can directly provide the secret to the players. In 2008, Kol and Naor discussed rational secret sharing in the non-simultaneous channel model and in the presence of an offline dealer, in an information theoretic setting. Almost all the subsequent works on rational secret sharing assumed the dealer to be offline.

Rational secret sharing proceeds in two phases: 1) share generation and distribution and 2) secret reconstruction.

Share generation and distribution: If the dealer is online, then at the beginning of each round, he distributes to each player $P_i$ the share of the actual secret with probability $\gamma$ or that of a fake secret with probability $(1 - \gamma)$. The value of $\gamma$ is kept secret from the parties and is dependent on the utility values of the parties. An offline dealer distributes to each party $P_i$ a list of shares, one of which is that of the actual secret $s$ and the remaining of fake secrets. The position $r$ of this actual share in the lists is not revealed to the players and is chosen according to a geometric distribution $G(\gamma)$, where the parameter $\gamma$ in turn depends on the utility values of players. The dealer generates shares using Shamir’s secret sharing scheme.

Secret Reconstruction: In the $j$th round of communication, each player $P_i$ (either simultaneously or non-simultaneously) broadcasts or sends individually to each of the other players (in presence of synchronous, point-to-point channels) the share $s_{ij}$ corresponding to that round. The shares are signed by the dealer. Hence, no player can give out false shares undetected and the only possible action of a player in a round is to either 1) send the message or 2) remain silent. The round in which the shares of the actual secret are revealed and hence the secret is reconstructed is called the revelation or definitive round. When the dealer is offline, players are made aware that they have crossed the revelation round by the reconstruction or exchange of an indicator (a bit or a signal, depending on the scheme). For the simultaneous channel model, parties can identify a revelation round as soon as it occurs. However, for non-simultaneous channels, the indication is delayed till the subsequent round to avoid a rushing strategy. In this case, the indicator cannot be reconstructed or interpreted by all the players. The player who communicates last during the reconstruction of the indicator is the first and only one to know that the last round was the revelation round. Once he comes to know this, he has no incentive to send his share of the indicator to the other players for reconstruction. Instead, he simply quits. The fact that this player quits signals to the other players that the secret has been reconstructed.

A (t, n) rational secret reconstruction protocol is a pair $(\Gamma, \vec{\sigma})$, where $\Gamma$ is the game (i.e., specification of allowable actions) and $\vec{\sigma} = (\sigma_1, \ldots, \sigma_n)$ denotes the strategies followed by the players. We use the notations $\vec{\sigma}_{-i} = (\sigma_1, \ldots, \sigma_{i-1}, \sigma_{i+1}, \ldots, \sigma_n)$ and $(\sigma'_i, \vec{\sigma}_{-i}) = (\sigma_1, \ldots, \sigma'_i, \sigma_{i+1}, \ldots, \sigma_n)$. The outcome of the game is denoted by $\vec{o}(\Gamma, \vec{\sigma}) = (o_1, \ldots, o_n)$. The outcomes of a secret reconstruction game $\Gamma$ with respect to a party $P_i$ are as follows: 1) $P_i$ obtains the secret while others do not; 2) everybody obtains the secret; 3) nobody obtains the secret; 4) others obtain the secret while $P_i$ does not; and 5) others believe in a fake secret while $P_i$ does not. The output that no secret is obtained is denoted by $\perp$ and a fake secret is denoted by any symbol $\notin \{s, \perp\}$.


A. Utilities and Preferences 

The utility function $U_i$ of each party $P_i$ is defined over the set of possible outcomes of the game. The outcomes and corresponding utilities for $t = n = 2$ are described in Table I. For classical secret sharing, $U_i$ is assumed to be polynomial in the security parameter $k$, which is typically the size of the secret. Thus, $U_i^{TN} = U_i(1^k, (o_i = s, o_j = \perp))$, $U_i^{TT} = U_i(1^k, (o_i = s, o_j = s))$ (where $i \neq j$) and so on.

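TABLE I: Outcomes and Utilities for (2, 2) rational secret reconstruction

$P_1$’s outcome ($o_1$)      $P_2$’s outcome ($o_2$)      $P_1$’s Utility $U_1(o_1, o_2)$   $P_2$’s Utility $U_2(o_1, o_2)$
$o_1 = s$                    $o_2 = s$                    $U_1^{TT}$                        $U_2^{TT}$
$o_1 = \perp$                $o_2 = \perp$                $U_1^{NN}$                        $U_2^{NN}$
$o_1 = s$                    $o_2 = \perp$                $U_1^{TN}$                        $U_2^{NT}$
$o_1 = \perp$                $o_2 = s$                    $U_1^{NT}$                        $U_2^{TN}$
$o_1 = \perp$                $o_2 \notin \{s, \perp\}$    $U_1^{NF}$                        $U_2^{FN}$
$o_1 \notin \{s, \perp\}$    $o_2 = \perp$                $U_1^{FN}$                        $U_2^{NF}$
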


For the quantum domain, the secret is a state $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$, or in other words, a pair of complex numbers $(\alpha, \beta)$. Thus, the size of the secret is effectively infinite. Hence, the assumption on the utilities as polynomial functions of the security parameter has no meaning. Rather, we treat the utilities as real numbers that depend on the output values.

Players have their preferences based on the different possible outcomes. In this work, a rational player $i$ is assumed to have the following preference:

$$\mathcal{R}_1 : U_i^{TN} > U_i^{TT} > U_i^{NN}$$

Some players may have the additional preference

$$U_i^{NF} > U_i^{TT}$$

whereas the rest have

$$U_i^{NF} < U_i^{TT}.$$

For more than two players, the second superscript in the notation corresponds to any of the other players (except $i$ itself).

B. Fairness 

A rational player, being selfish, desires an unfair outcome, i.e., obtaining the secret alone. Therefore, the basic aim of rational secret sharing schemes has been to achieve fairness. A formal definition of fairness in the context of a (2,2) RSS protocol was presented by Asharov and Lindell. We modify this definition for the (t, n) quantum setting as follows:

Definition 1. (Fairness, adapted from Asharov and Lindell) A rational secret reconstruction mechanism $(\Gamma, \vec{\sigma})_{t,n}$ is said to be completely fair if for every arbitrary alternative strategy $\sigma'_i$ followed by party $P_i$, $(i \in \{1, \ldots, n\})$ the following holds:

$$\Pr[o_i(\Gamma, (\sigma'_i, \vec{\sigma}_{-i})) = s] < \Pr[o_{-i}(\Gamma, (\sigma'_i, \vec{\sigma}_{-i})) = s].$$

In the above definition, the subscript $-i$ denotes all the players other than $i$.

Fairness can be achieved by a suitable randomized reconstruction of the protocol. The exact round in which the actual secret is to be revealed is not known to the parties. In Theorem 3 we show that the condition for fairness is

$$\gamma U_i^{TN} + (1 - \gamma) U_i^{NN} < U_i^{TT}, \quad \text{i.e.,} \quad \gamma < \frac{U_i^{TT} - U_i^{NN}}{U_i^{TN} - U_i^{NN}}$$

for each $i$. This is the same condition that is required in the classical scenario.
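The fairness condition can be checked numerically against the round structure described above (revelation round $r$ drawn from $G(\gamma)$, followed by $w$ padding rounds also drawn from $G(\gamma)$). This is an added example, not part of the paper; the utility values and the mapping from "abort in round g" to an outcome are assumptions stated in the comments.

```python
from fractions import Fraction


def fairness_threshold(u_tn, u_tt, u_nn):
    """Upper bound on gamma: gamma*U^TN + (1-gamma)*U^NN < U^TT iff gamma < threshold."""
    return Fraction(u_tt - u_nn, u_tn - u_nn)


def geometric_pmf(gamma, k):
    """Pr[G(gamma) = k] for k = 1, 2, ..."""
    return gamma * (1 - gamma) ** (k - 1)


def deviation_outcome_probs(gamma, g):
    """Outcome distribution for a fail-stop player who collects the round-g shares
    and then stays silent. Assumed outcome model for this sketch:
      r == g      -> he alone holds the real secret              (TN)
      r + w < g   -> the run finished before round g, no abort   (TT)
      otherwise   -> the dealer announces abort, r stays hidden  (NN)
    """
    p_tn = geometric_pmf(gamma, g)
    # Pr[r + w <= g - 1] = sum over a of Pr[r = a] * Pr[w <= g - 1 - a]
    p_tt = sum(geometric_pmf(gamma, a) * (1 - (1 - gamma) ** (g - 1 - a))
               for a in range(1, g - 1))
    return {"TN": p_tn, "TT": p_tt, "NN": 1 - p_tn - p_tt}


def deviation_utility(gamma, g, utilities):
    """Exact expected utility of aborting in round g."""
    probs = deviation_outcome_probs(gamma, g)
    return sum(probs[o] * utilities[o] for o in probs)


def best_deviation(gamma, utilities, max_round=60):
    """(expected utility, round) of the most profitable abort round up to max_round."""
    return max((deviation_utility(gamma, g, utilities), g)
               for g in range(1, max_round + 1))


if __name__ == "__main__":
    # Constructed utilities satisfying U^TN > U^TT > U^NN.
    U = {"TN": 10, "TT": 5, "NN": 0}
    print("threshold on gamma:", fairness_threshold(U["TN"], U["TT"], U["NN"]))
    for gamma in (Fraction(1, 4), Fraction(3, 4)):
        value, rnd = best_deviation(gamma, U)
        verdict = "deviation pays" if value > U["TT"] else "following is better"
        print(f"gamma={gamma}: best abort round {rnd}, utility {float(value):.3f}, {verdict}")
```

Below the threshold every abort round yields strictly less than $U^{TT}$; above it, aborting in the very first round already beats following the protocol.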

C. Correctness 

A formal definition of correctness in the context of a (2,2) RSS protocol was presented by Asharov and Lindell. We modify this definition for the (t, n) quantum setting as follows:


Definition 2. (Correctness) A rational secret reconstruction mechanism $(\Gamma, \vec{\sigma})$ is said to be correct if for every arbitrary alternative strategy $\sigma'_i$ followed by party $P_i$, $(i \in \{1, \ldots, n\})$ the following holds:

$$\Pr[o_{-i}(\Gamma, (\sigma'_i, \vec{\sigma}_{-i})) \notin \{s, \perp\}] = 0$$

In classical rational secret sharing, the condition of correctness becomes significant in the non-simultaneous channel model. The rational party with preference $\mathcal{R}_1$ communicating last in any round may quit early in the protocol. Since other parties decide whether the revelation round has been reached depending on whether the last party has quit, they are easily misled into believing in a wrong value of the secret.

D. Equilibrium 

A rational secret reconstruction protocol should be such that no player has any incentive to deviate from this protocol. Consequently, Nash equilibrium and its several variants have been used as the equilibrium concept in the literature of rational secret sharing. A suggested strategy $\vec{\sigma}$ of a mechanism $(\Gamma, \vec{\sigma})$ is said to be in Nash equilibrium when there is no incentive for a player $P_i$ to deviate from the suggested strategy, given that everyone else is following this strategy.

The concept of strict Nash equilibrium becomes useful when the payoffs from playing a ‘good’ strategy and a ‘bad’ strategy are so close that any minor changes in the beliefs of players about the strategy others are going to adopt may lead each of them to play the ‘bad’ strategy. It is defined as follows:

Definition 3. (Strict Nash equilibrium) The suggested strategy $\vec{\sigma}$ in the mechanism $(\Gamma, \vec{\sigma})$ is a strict Nash equilibrium if for every $P_i$ and for any strategy $\sigma'_i$, we have

$$U_i(\sigma'_i, \vec{\sigma}_{-i}) < U_i(\vec{\sigma}).$$

There may exist several strategies which are the same as the suggested strategy $\sigma_i$ for party $P_i$ except for minor differences such as performing some irrelevant computation or sending different messages after the protocol is over. For the sake of proving that a proposed protocol is in strict Nash equilibrium, we assume that all such strategies are essentially the same and do not constitute any deviation.

III. QUANTUM RATIONAL SECRET SHARING 

In this section we first present a (3,7) quantum rational secret sharing (QRSS) protocol and we generalize it to the (t, n) setting in the next section.

We do not exploit the ideas related to teleportation in quantum secret sharing. The idea of teleportation does not naturally take care of the situation when parties are rational. Rather, we use quantum error correcting code. There exist some works for building quantum secret sharing schemes using (classical or quantum) error correcting codes. However, none of these schemes addresses the rationality issue.

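An arbitrary pure single-qubit quantum state is given by $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ with $|\alpha|^2 + |\beta|^2 = 1$, where $\alpha, \beta \in \mathbb{C}$. The quantum error correction scheme known as CSS code can be constructed from classical error correcting code. Let $C$ and $C_1$ be two classical linear codes such that $\{0\} \subset C_1 \subset C \subset \mathbb{F}_2^7$ with the generator matrices

$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 0 & 1 & 1 \\ 0 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}, \qquad G_1 = \begin{pmatrix} 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 & 1 & 0 & 1 \end{pmatrix}.$$
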

From the above expression it is clear that $C_1$ is the dual code of $C$. A quantum CSS code can be constructed from these two linear codes with code words $|0\rangle_L$ and $|1\rangle_L$. A pure single quantum state can be encoded with this code by attaching an ancilla state $|0\rangle$ and applying the CNOT gate. After inserting the ancilla state we get $\alpha|00\rangle + \beta|10\rangle$, which is converted to $\alpha|00\rangle + \beta|11\rangle$ after the application of the CNOT gate. $|00\rangle$ can be encoded by the above CSS code as $|1\rangle_L$ and $|11\rangle$ can be encoded as $|0\rangle_L$. Thus the entire state is encoded as

$$\frac{1}{\sqrt{8}}\Big[\alpha\big[|1111111\rangle + |1010010\rangle + |1100100\rangle + |1001001\rangle + |0000111\rangle + |0101010\rangle + |0011100\rangle + |0110001\rangle\big]$$
$$+ \beta\big[|0000000\rangle + |0101101\rangle + |0011011\rangle + |0110110\rangle + |1111000\rangle + |1010101\rangle + |1100011\rangle + |1001110\rangle\big]\Big].$$


In light of the above discussion, let us now explain our exact proposal and its importance. Here, we assume the secret to be a single qubit $\alpha|0\rangle + \beta|1\rangle$. We encode the secret with the above CSS code. Thus the secret is now split into seven qubits. The dealer distributes these seven qubits among seven parties. We now write the secret as

$$\frac{1}{\sqrt{8}}\Big[|1111\rangle[\alpha|111\rangle + \beta|000\rangle] + |1010\rangle[\alpha|010\rangle + \beta|101\rangle]$$
$$+ |1100\rangle[\alpha|100\rangle + \beta|011\rangle] + |1001\rangle[\alpha|001\rangle + \beta|110\rangle]$$
$$+ |0000\rangle[\alpha|111\rangle + \beta|000\rangle] + |0101\rangle[\alpha|010\rangle + \beta|101\rangle]$$
$$+ |0011\rangle[\alpha|100\rangle + \beta|011\rangle] + |0110\rangle[\alpha|001\rangle + \beta|110\rangle]\Big].$$


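Applying the CNOT gate on the last three qubits, we obtain

$$\frac{1}{\sqrt{8}}\Big[|1111\rangle[\alpha|1\rangle + \beta|0\rangle]|00\rangle + |1010\rangle[\alpha|0\rangle + \beta|1\rangle]|10\rangle$$
$$+ |1100\rangle[\alpha|1\rangle + \beta|0\rangle]|11\rangle + |1001\rangle[\alpha|0\rangle + \beta|1\rangle]|01\rangle$$
$$+ |0000\rangle[\alpha|1\rangle + \beta|0\rangle]|00\rangle + |0101\rangle[\alpha|0\rangle + \beta|1\rangle]|10\rangle$$
$$+ |0011\rangle[\alpha|1\rangle + \beta|0\rangle]|11\rangle + |0110\rangle[\alpha|0\rangle + \beta|1\rangle]|01\rangle\Big].$$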


Thus if the last three parties collaborate, then one can reconstruct the secret by measuring the last two qubits in the $\{00, 01, 10, 11\}$ basis. If a party gets $|00\rangle$ or $|11\rangle$, he has to apply the $X$ gate to obtain the secret. If a party gets $|01\rangle$ or $|10\rangle$, he has to apply the $I$ gate to construct the secret. Close observation reveals that there are only seven combinations of three parties for which the secret can be reconstructed. Denoting the position of the participants by integer values, we can write those combinations as $\mathcal{A} = \{(5,6,7), (1,2,5), (2,4,6), (1,3,6), (1,4,7), (2,3,7), (3,4,7)\}$. The set $\mathcal{A}$ is called the access structure of the secret sharing scheme.
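The reconstruction by the parties holding qubits 5, 6 and 7, and the earlier claim that a single share reveals nothing about $(\alpha, \beta)$, can both be checked with a small state-vector calculation on the sixteen basis terms written out above. This is an added example, not code from the paper; the function names and the sample amplitudes are constructed for the illustration.

```python
import math

# Basis strings of the encoded state as listed in the text
# (qubit 1 is the leftmost character, qubit 7 the rightmost).
ALPHA_TERMS = ["1111111", "1010010", "1100100", "1001001",
               "0000111", "0101010", "0011100", "0110001"]
BETA_TERMS = ["0000000", "0101101", "0011011", "0110110",
              "1111000", "1010101", "1100011", "1001110"]


def encode(alpha, beta):
    """Encoded 7-qubit state as {bitstring: amplitude}."""
    norm = 1 / math.sqrt(8)
    state = {w: alpha * norm for w in ALPHA_TERMS}
    state.update({w: beta * norm for w in BETA_TERMS})
    return state


def flip(bits, qubit):
    i = qubit - 1
    return bits[:i] + ("1" if bits[i] == "0" else "0") + bits[i + 1:]


def cnot(state, control, target):
    """CNOT with 1-based qubit positions."""
    return {(flip(b, target) if b[control - 1] == "1" else b): a
            for b, a in state.items()}


def pauli_x(state, qubit):
    return {flip(b, qubit): a for b, a in state.items()}


def measure(state, qubits, outcome):
    """Project `qubits` onto `outcome`; return (probability, normalised post-state)."""
    kept = {b: a for b, a in state.items()
            if all(b[q - 1] == o for q, o in zip(qubits, outcome))}
    prob = sum(abs(a) ** 2 for a in kept.values())
    return prob, {b: a / math.sqrt(prob) for b, a in kept.items()}


def reduced_density(state, qubit):
    """2x2 reduced density matrix of one qubit with all other qubits traced out."""
    groups = {}
    for bits, amp in state.items():
        rest = bits[:qubit - 1] + bits[qubit:]
        groups.setdefault(rest, [0, 0])[int(bits[qubit - 1])] += amp
    rho = [[0, 0], [0, 0]]
    for vec in groups.values():
        for r in range(2):
            for c in range(2):
                rho[r][c] += vec[r] * complex(vec[c]).conjugate()
    return rho


def fidelity(rho, alpha, beta):
    """<psi| rho |psi> for |psi> = alpha|0> + beta|1>."""
    psi = (complex(alpha), complex(beta))
    return sum(psi[r].conjugate() * rho[r][c] * psi[c]
               for r in range(2) for c in range(2)).real


def reconstruct_567(alpha, beta):
    """Qubit 5 is the control of CNOTs onto qubits 6 and 7; qubits 6 and 7 are
    measured, then X is applied on outcomes 00 and 11 and I otherwise.
    Returns {outcome: (probability, fidelity of qubit 5 with the secret)}."""
    state = cnot(cnot(encode(alpha, beta), 5, 6), 5, 7)
    results = {}
    for outcome in ("00", "01", "10", "11"):
        prob, post = measure(state, (6, 7), outcome)
        if outcome in ("00", "11"):
            post = pauli_x(post, 5)
        results[outcome] = (prob, fidelity(reduced_density(post, 5), alpha, beta))
    return results


if __name__ == "__main__":
    a, b = 0.6, 0.8j                      # constructed sample secret
    print(reconstruct_567(a, b))          # each outcome: probability 1/4, fidelity 1
    print(reduced_density(encode(a, b), 5))  # a lone share: maximally mixed
```

Every measurement outcome occurs with probability 1/4 and leaves qubit 5 exactly in the secret state, while any single qubit taken alone has reduced state $I/2$ regardless of $\alpha$ and $\beta$.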


A. (3,7) Quantum Rational Secret Sharing 
Protocol 

In classical rational secret sharing, an indicator is distributed along with the shares of each secret to each party. The parties reconstruct the indicator and come to know about the revelation round. However, in the quantum domain, including an indicator is costly. We solve this problem by assuming that the dealer is semi-offline. In other words, the dealer interacts with the participants twice: 1) at the time of the share distribution, and 2) at the time when the game is over. Later we discuss how to make the dealer offline. Like the classical RSS protocols, our dealer is assumed to be honest.

In the classical simultaneous broadcasting channel, each party is supposed to broadcast his share in each round. So, in each round, each party obtains $(t - 1)$ shares from others and thus reconstructs the secret. In the point-to-point channel model, instead of broadcasting his share, each party in each round individually communicates his share to every other party. This means that each party prepares $t$ copies of his or her share and distributes $(t - 1)$ shares among $(t - 1)$ parties, retaining one share for himself. In the quantum domain, due to the no cloning theorem [40], a player cannot generate copies of his share. However, the dealer can prepare as many copies of the secret as required, as he knows the secret. We exploit this idea to form our protocol. The communication in the quantum setting is similar to the communication in the point-to-point channel model. Unlike classical RSS, each round is further subdivided into sub-rounds. In the $i$th sub-round of a round $j$ the participant $P_i$ is given the current shares (qubits) by the remaining players. For example, in (3, 7) quantum rational secret sharing, in the first sub-round $P_2$ and $P_3$ give their current shares (qubits) to $P_1$. In the second sub-round $P_1$ and $P_3$ give their current shares to $P_2$. In the third sub-round $P_1$ and $P_2$ give their current shares to $P_3$.

We assume that the players are of fail-stop nature. This means that they do not send wrong shares. In each round, a player has just two strategies, either to send his share or to remain silent. Remaining silent is equivalent to quitting the game. Throughout the paper, wherever we use the word “quit”, we mean that the player remains silent from that very sub-round of a round. The dealer is assumed to be honest. We describe our protocol below. Without loss of generality, we assume that the dealer wishes to reveal the secret to the parties receiving qubits 5, 6 and 7 and we label them as players $P_1$, $P_2$ and $P_3$ respectively.

[1. Protocol $\Pi_{QRSS}$]

1.1 The Dealer’s Protocol $\Pi_{ShareGen}$

Input. The quantum secret to be shared using (3, 7) threshold secret sharing.

1.1.1 Share Generation: The dealer does the following:

• Chooses $r$ according to a geometric distribution $G(\gamma)$ with parameter $\gamma$.

• Generates three copies of each secret (fake as well as actual) for each round and encodes those in the CSS code discussed above.

• Prepares a list $list_i$ of shares for each party $P_i$ such that:

  - Qubits (5, 6, 7) of each secret are given to players $P_1$, $P_2$, and $P_3$ respectively so that each party gets three qubits, i.e. $P_1$ possesses three of 5, $P_2$ has three of 6 and $P_3$ possesses three of 7 for each round.

  - Each list contains $3(r + w)$ shares, where $w$ is also chosen according to $G(\gamma)$.

Output. The dealer distributes $list_i$ to party $P_i$.

1.1.2 Unmasking of Revelation Round $\Pi_{Unmask}$
Input. Signal $sig_i$ from each player $P_i$, $(i \in \{1, 2, 3\})$.
Computation and Communication. The dealer does the following:

• If $sig_1 = sig_2 = sig_3 = 1$, announces the value of $r$ to each $P_i$.

• If for at least one value of $i$, $sig_i \neq 1$, aborts after announcing abort to each party $P_i$.

Output. The dealer outputs either $r$ or abort depending on the values of $sig_i$.

1.2 The Player’s Protocol
Input. The list of shares $list_i$.

1.2.1 Secret Reconstruction $\Pi_{Recon}$
Computation and Communication. Each player $P_i$ does the following:

• In the $i$th sub-round of a round $j$, $P_i$ is given the current shares (qubits) by the other two parties.

• Checks to see if the number of shares received is less than two. If yes, aborts and sends $sig_i = 0$ to the dealer. Else, continues.

• At the end of round $j$, does the following:

  - Applies the CNOT gate considering his current share (qubit) as control.

  - Measures the target bits in the $\{00, 01, 10, 11\}$ basis.

  - Depending on the measured value, operates either the $X$ gate or the $I$ gate.

• Stores the secret $s_j$ obtained in the $j$th round.

• If $j = \frac{1}{3}|list_i|$, sends $sig_i = 1$ to the dealer. If the dealer sends abort, then aborts; else if the dealer sends the value of $r$, stores only $s_r$ and quits. If $j < \frac{1}{3}|list_i|$, continues.

Output. The quantum secret $s_r$.

IV. GENERALIZATION TO (t, n) QUANTUM 
RATIONAL SECRET SHARING 

Before going to the (t, n) quantum rational secret sharing, first we show an existential result.

Theorem 1. Let $C = [n, k, d]$ and $C_1 = [n, k - 1, d']$ be two linear codes such that $C_1 \subset C$. Given $C \cdot C_1 = 0$, there is always a secret sharing scheme provided $k$ is a power of 2.

Proof. From the definition it is clear that we can always construct a CSS code from given $C$ and $C_1$ with codewords $|0\rangle_L$ and $|1\rangle_L$. Let the secret be $\alpha|0\rangle + \beta|1\rangle$. Let us take the tensor product of the secret and $(m - 1)$ ancilla states, where $m$ is any integer value. The final state becomes $\alpha|0_1 0_2 \ldots 0_m\rangle + \beta|1_1 0_2 \ldots 0_m\rangle$.

Applying the CNOT gate we obtain $\alpha|0_1 0_2 \ldots 0_m\rangle + \beta|1_1 1_2 \ldots 1_m\rangle$. $|0_1 0_2 \ldots 0_m\rangle$ can be written in matrix form by a binary vector of length $2^m$, $(100\ldots00)$. Similarly $|1_1 1_2 \ldots 1_m\rangle$ can be represented by a binary vector of length $2^m$, $(000\ldots01)$. In the secret sharing scheme $|0_1 0_2 \ldots 0_m\rangle$ and $|1_1 1_2 \ldots 1_m\rangle$ are message states. Thus $k = 2^m$ or $m = \log_2 k$. As $m$ is an integer, $k$ should be a power of 2. The encoded secret in CSS code becomes $\alpha|1\rangle_L + \beta|0\rangle_L$. □

The next result gives a bound on the number of parties 
that can reconstruct the secret. 

Theorem 2. Let $C = [n, k, d]$ and $C_1 = [n, k - 1, d']$ be two linear codes such that $C_1 \subset C$. Given $C \cdot C_1 = 0$, there are minimum $d$ number of parties who can reconstruct the secret.

Proof. According to the definition of the CSS 
code, |0)^ = li^ExecJ^ + Ci) and |1)^ = 

I* * + ^i)- Thus, the codewords which 
constitute the codeword $|0\rangle_L$ belong to $C_1$. On the other hand, the codewords constituting the codeword $|1\rangle_L$ belong to $C \setminus C_1$. So we always get two orthogonal codewords which come from two different cosets. One codeword is associated with $\alpha$ and the other codeword is associated with $\beta$. Let them be $u$ and $v$. Since $\mathrm{dist}(u - v) > d$, if we apply the CNOT gate on these $d$ bits considering the first bit as control, we get $(d - 1)$ target bits which are equal in both the codewords. So measuring those $(d - 1)$ qubits in the $\{0, 1\}^{(d-1)}$ basis we can reconstruct the secret depending on the measurement result. Thus, for secret reconstruction a minimum of $d$ parties have to collaborate. □

Note that since $C_1 \subset C$, we must have $d' > d$. For (t, n) QRSS, we set $t = d$.


A. t-out-of-n Quantum Rational Secret Sharing 
Protocol 

Let us now present our generalized scheme.

[2. Protocol $\Pi_{QRSS}$]

2.1 The Dealer’s Protocol $\Pi_{ShareGen}$

Input. The quantum secret to be shared using (t, n) threshold secret sharing.

2.1.1 Share Generation: The dealer does the following:

• The dealer designates $t$ players among $n$, from the access structure.

• Chooses $r$ according to a geometric distribution $G(\gamma)$ with parameter $\gamma$.

• Generates $t$ copies of each secret (fake as well as actual) for each round and encodes those in the CSS code derived from $C$ and $C_1$ (see Theorem 2).

• Prepares a list $list_i$ of shares for each party $P_i$ such that:

  - Each player $P_i$ is given a qubit from a valid set of $t$ qubits from the access structure, as in (3,7) QRSS.

  - Each list contains $t(r + w)$ shares, where $w$ is also chosen according to $G(\gamma)$.

Output. The dealer distributes $list_i$ to party $P_i$.

2.1.2 Unmasking of Revelation Round $\Pi_{Unmask}$
Input. Signal $sig_i$ from each player $P_i$, $(i \in \{1, \ldots, t\})$.
Computation and Communication. The dealer does the following:

• If $sig_i = 1$ for all $i \in \{1, \ldots, t\}$, announces the value of $r$ to each $P_i$.

• If for at least one value of $i$, $sig_i \neq 1$, aborts after announcing abort to each party $P_i$.

Output. The dealer outputs either $r$ or abort depending on the values of $sig_i$.

2.2 The Player’s Protocol 


Input. The list of shares listi. 

2.2.1 Secret Reconstruction 
Each player Pi does the following: 

• In the ith sub-round of a round j, Pi is given the 
current shares (qubits) by other (t — 1 ) players. 

• Checks to see if the number of shares received is 
less than {t — 1). If yes, aborts and sends sigi = 0 
to dealer. Else, continues. 

• At the end of round j, does the following: 

— Applies CNOT gate considering his current 
share (qubit) as control. 

— Measures target bits in {0,1}^* *“^) basis. 

— Depending on the measured value operates ei¬ 
ther X gate or / gate. 

• Stores the secret sj obtained in the jth round. 

• If J = j\listi\, sends sigi = 1 to the dealer. If the 
dealer sends abort, then aborts; else if the dealer 
sends the value of r stores only Sr and quits. If 
j < j\listi\, continues. 

Output. The quantum secret Sr. 

In the next result, we show that the fairness condition 
for classical domain remains valid in the quantum domain 
as well. 

Theorem 3. If $\gamma > 0$ and $U_i^{TT} > \gamma U_i^{TN} + (1-\gamma) U_i^{NN}$, the protocol $\pi_{QRSS}$ achieves fairness.

Proof. A player who wants to obtain the secret alone must be able to correctly guess which round is the revelation round. Suppose the ith player guesses that the jth round is the revelation round and quits in the ith sub-round of the jth round. In other words, the player remains silent from the (i + 1)th sub-round of the jth round. Our protocol is designed in such a way that if any player quits in any intermediate round, then it is reported to the dealer by a signal bit (sig). If for at least one value of i, $sig_i \neq 1$, the dealer aborts after announcing abort to each party $P_i$. Thus, if the guess of the ith player is correct, i.e., j = r, the probability of which is $\gamma$, his utility is $U_i^{TN}$, else his utility is $U_i^{NN}$. So the expected utility of the player who decides to deviate based on his guess is given by $\gamma U_i^{TN} + (1-\gamma) U_i^{NN}$. On the other hand, if he simply followed the protocol, his utility would have been $U_i^{TT}$. However, the dealer chooses the value $\gamma$ in such a way so that

$$\gamma U_i^{TN} + (1-\gamma) U_i^{NN} < U_i^{TT}.$$

Thus the player should have no incentive to deviate. He always gives his share and hence the protocol achieves fairness. □

The next result establishes the correctness of our general scheme.

Theorem 4. Even if some players may have > , the protocol $\pi_{QRSS}$ achieves correctness.

Proof. In our protocol, the dealer is semi-offline. The revelation round is unmasked by him after all the players report that the reconstruction game is over. Therefore, players do not depend on the action of the last player to know which round is the revelation round (see Section II C). Thus, the protocol is independent.

No player has any incentive to quit in an intermediate round in order to make the others believe in a fake secret as actual secret. Hence the protocol is correct. □

Note that in [Hi, it is mentioned that for non-simultaneous channel model, independence is impossible. But there the underlying assumption is that the dealer is offline. Since in our QRSS, the dealer is semi-offline, we can easily get independence even in non-simultaneous channel.

Now, we can state the following result on equilibrium. 


Theorem 5. If $\gamma > 0$ and $U_i^{TT} > \gamma U_i^{TN} + (1-\gamma) U_i^{NN}$, then protocol $\pi_{QRSS}$ achieves strict Nash equilibrium.

Proof. Let us assume that a party $P_i$ follows the deviating strategy $\sigma'_i$, when all other parties follow the protocol. Suppose $P_i$ aborts at round j and the revelation round is r. Then either j is itself the revelation round, i.e., r = j, or it is a round before the revelation round, i.e., r > j. In our case, the secret reconstruction game is played until each party exhausts his list of shares. After that the dealer points out the revelation round. Hence, there is a possibility that $P_i$ deviates after the revelation round, i.e., r < j, although such deviation is not helpful in any way to the deviating party. We assume that the correct secret can be obtained by a player only when he quits in the revelation round. From the property of geometric distribution, we have

$$\gamma = \Pr[j = r \mid j \le r] = \frac{\Pr[j = r]}{\Pr[j \le r]} \quad \text{and} \quad 1 - \gamma = \Pr[j < r \mid j \le r] = \frac{\Pr[j < r]}{\Pr[j \le r]}.$$

Then, $U_i(\sigma'_i, \sigma_{-i})$ is given by

$$\begin{aligned}
& U_i^{TN} \Pr[j = r] + U_i^{NN} \Pr[j < r] + U_i^{TT} \Pr[j > r] \\
&= \gamma U_i^{TN} \Pr[j \le r] + (1-\gamma) U_i^{NN} \Pr[j \le r] + U_i^{TT} (1 - \Pr[j \le r]) \\
&= \left(\gamma U_i^{TN} + (1-\gamma) U_i^{NN} - U_i^{TT}\right) \Pr[j \le r] + U_i^{TT} \\
&< U_i^{TT}.
\end{aligned}$$

The last inequality follows from our assumption that $\gamma U_i^{TN} + (1-\gamma) U_i^{NN} < U_i^{TT}$, which makes the term added to $U_i^{TT}$ negative. In each sub-round, a player can send only a unique share (namely, the correct share) as we have $U_i(\sigma'_i, \sigma_{-i}) < U_i(\sigma)$. So, our protocol follows strict Nash equilibrium. □


In the classical rational secret sharing domain, Halpern and Teague @ claimed that (2,2) rational secret sharing scheme cannot be constructed. Later, Gordon and Katz [I^ showed a general (t, n) rational secret sharing that works for n = t = 2, thus refuting the claim of [^. Our (t, n) quantum rational secret sharing scheme also works for t = 2. In that case, we require [n, k, 2] linear code to construct the CSS code. In principle, (2,n) QSS is the quantum analogue of (2, 2) classical secret sharing, since in the quantum domain the dealer designates, from the access structures, a specific subset of 2 players (out of n) except whom no one else can obtain the secret.


V. OFFLINE DEALER FOR QRSS


In this section, we propose a (t, n) quantum rational secret sharing scheme with the dealer offline, i.e., after distributing the shares, the dealer does not come into the picture.

Considering the dealer as semi-offline, we have shown that our protocol $\pi_{QRSS}$ becomes independent and hence correct. In [Q, it is shown that in case of offline dealer and non-simultaneous channel model, the protocol becomes dependent. Hence, achieving correctness is not guaranteed, when the preferences of the players are defined by $\mathcal{R}_1$. Thus, in case of offline dealer, to achieve correctness (which we show later), we suitably redefine the preferences of the players as follows:

$\mathcal{R}_2$ : ur > ur > ur > ur,

and

ur < ur

for all players i. Note that we have to restrict the utilities so that no player can have Ur ^ Ur ■

In our protocol $\pi_{QRSSDO}$ below, we use a Boolean indicator variable b associated with each round. The secret bit b is distributed among the designated t parties through a (t, t) Shamir secret sharing to denote whether the previous round was revelation round (b = 1) or not (b = 0). Later, we discuss how to move from classical indicator to quantum indicator.

[3. Protocol $\pi_{QRSSDO}$]

3.1 The Dealer’s Protocol $\pi^{ShareGen}$

Input. The quantum secret to be shared using (t, n) threshold secret sharing.

3.1.1 Share Generation: The dealer does the following:

• Sets t = d and designates t players among n.

• Chooses r according to a geometric distribution $\mathcal{G}(\gamma)$ with parameter $\gamma$.

• Generates t copies of each secret (fake as well as actual) for each round and encodes those in CSS code derived from $C$ and $C_1$ (see Theorem 2).

• Prepares a list $list_i$ of shares for each party $P_i$ such that:

— Each element $e_{k,i}$ in the list $list_i$ consists of two parts: a qubit from a valid set of t qubits from the access structure as in (3, 7) QRSS and a (t, t) Shamir share of a Boolean value indicating whether the previous round was the revelation round.

— Each list contains k = t(r + w) shares, where w is also chosen according to $\mathcal{G}(\gamma)$.

3.2 The Player’s Protocol

Input. The list of shares $list_i$.

3.2.1 Secret Reconstruction $\pi^{Recon}$

Each player $P_i$ does the following:

• In the ith sub-round of a round j, $P_i$ is given the current element (one qubit and one classical bit) in the lists by other (t − 1) players.

• If the number of elements received is less than (t − 1) or if a partial element has been received then aborts. Else, continues.

• At the sub-round i of round j, does the following:

— Stores the qubits obtained from the (t − 1) parties.

— Reconstructs the Boolean value b associated with that round.

— If b = 1,

* Sets r = (j − 1).

* Applies CNOT gate considering his (j − 1)th share (qubit) as control.

* Measures target bits in the $\{0,1\}^{(t-1)}$ basis.

* Depending on the measured value operates either X gate or I gate.

* Stores the quantum secret $s_r$ obtained in the (j − 1)th round.

Else, continues.

Output. The quantum secret $s_r$.
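The classical indicator mechanism of the offline-dealer protocol above can be sketched as follows. This is an added example, not code from the paper: it models only the (t, t) Shamir shares of b, omits the qubits, gives each player one indicator share per round because classical shares can be copied, and the prime field P and all function names are assumptions.

```python
import random

P = 2**61 - 1  # prime field for the indicator shares (assumed; the page fixes none)

def shamir_tt(bit, t, rng):
    """(t, t) Shamir sharing: random degree-(t-1) polynomial f with f(0) = bit."""
    coeffs = [bit] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, t + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P); correct only with all t shares."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def geometric(gamma, rng, n=1):
    while rng.random() >= gamma:       # sample from G(gamma) on 1, 2, 3, ...
        n += 1
    return n

def dealer_lists(t, gamma, rng):
    """Round j carries shares of b = 1 iff round j - 1 was the revelation round r."""
    r, w = geometric(gamma, rng), geometric(gamma, rng)
    lists = [[] for _ in range(t)]
    for j in range(1, r + w + 1):
        for i, share in enumerate(shamir_tt(int(j - 1 == r), t, rng)):
            lists[i].append(share)
    return r, lists

def play(lists, t, quitter=None, quit_round=None):
    """Returns ('secret', r) once b = 1 is reconstructed, else ('abort', round)."""
    for j in range(1, len(lists[0]) + 1):
        received = [lst[j - 1] for i, lst in enumerate(lists)
                    if not (i == quitter and j >= quit_round)]
        if len(received) < t:          # an element is missing: abort
            return ("abort", j)
        if reconstruct(received) == 1:
            return ("secret", j - 1)   # the previous round was the revelation round
    return ("abort", len(lists[0]))    # lists exhausted without seeing b = 1

def run_demo(t, gamma, seed, **kw):
    r, lists = dealer_lists(t, gamma, random.Random(seed))  # constructed sample run
    return r, play(lists, t, **kw)
```

A player who withholds his share in round r + 1 or earlier triggers an abort for everyone, while one who stops after b = 1 has been reconstructed changes nothing, which is why the revelation round is the last complete round.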

We can make the above protocol fully quantum by replacing the indicator bits 0 and 1 by qubits $|0\rangle$ and $|1\rangle$ respectively. However, instead of Shamir’s (t, t) share, $|0\rangle$ and $|1\rangle$ are encoded by CSS code just like the secret state s. The dealer distributes the list ($list_i$) to each player $P_i$, containing two qubits, first one for the secret and the second one for the round. In each sub-round i of a round j, player $P_i$ reconstructs the qubit associated with that round. If it is $|1\rangle$, the player comes to know that the (j − 1)th round was the revelation round. He reconstructs the secret for the (j − 1)th round and discards other qubits obtained in the previous rounds.

Note that unlike the protocol for semi-offline dealer, the game will be over when the first player gets 1 (in classical) or $|1\rangle$ (in quantum). He has no incentive to send his shares in subsequent sub-rounds. He then just quits the game. The rest of the players then conclude that the revelation round has occurred just before that round. Thus they also get the secret by operating CNOT gate and measuring the target bits for the last complete round.

Unlike semi-offline dealer, in this case the players need not reconstruct the secret qubits for each round. Instead, they reconstruct the secret only for the revelation round. Moreover, the players are not forced to exhaust their lists of shares. The revelation round is the last round in this protocol as after the revelation round the players have no incentive to continue the game. The protocol is fair, correct and achieves strict Nash equilibrium.

Theorem 6. If $\gamma > 0$ and $U_i^{TT} > \gamma U_i^{TN} + (1-\gamma) U_i^{NN}$, the protocol $\pi_{QRSSDO}$ achieves fairness.

The proof is the same as that of Theorem 3.

Theorem 7. Provided the protocol $\pi_{QRSSDO}$ achieves correctness.

Proof. As , no player has any incentive to mislead others to believe in a wrong secret as an actual secret when he himself does not get the real secret. Thus the protocol is correct. □

We show strict Nash equilibrium in the next result. 

Theorem 8. If $\gamma > 0$ and $U_i^{TT} > \gamma U_i^{TN} + (1-\gamma) U_i^{NN}$, then protocol $\pi_{QRSSDO}$ achieves strict Nash equilibrium.

Proof. Let us assume that a party $P_i$ follows the deviating strategy $\sigma'_i$, when all other parties follow the protocol. Suppose $P_i$ aborts at round j and the revelation round is r. Then either j is itself the revelation round, i.e., r = j, or it is a round before the revelation round, i.e., r > j. We assume that the correct secret can be obtained by a player only when he quits in the revelation round. From the property of geometric distribution, we have

$$\gamma = \Pr[j = r \mid j \le r] = \frac{\Pr[j = r]}{\Pr[j \le r]} \quad \text{and} \quad 1 - \gamma = \Pr[j < r \mid j \le r] = \frac{\Pr[j < r]}{\Pr[j \le r]}.$$

Then, $U_i(\sigma'_i, \sigma_{-i})$ is given by

$$\begin{aligned}
& U_i^{TN} \Pr[j = r] + U_i^{NN} \Pr[j < r] \\
&= \gamma U_i^{TN} \Pr[j \le r] + (1-\gamma) U_i^{NN} \Pr[j \le r] \\
&= \left(\gamma U_i^{TN} + (1-\gamma) U_i^{NN}\right) \Pr[j \le r] \\
&< U_i^{TT}.
\end{aligned}$$

The last inequality follows from our assumption that $\gamma U_i^{TN} + (1-\gamma) U_i^{NN} < U_i^{TT}$. In each sub-round, a player can send only a unique share (namely, the correct share) as we have $U_i(\sigma'_i, \sigma_{-i}) < U_i(\sigma)$. So, our protocol follows strict Nash equilibrium. □

Note that the proof in this case is a bit different from the proof in Theorem 5 because the case r < j does not occur here.
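The expected-utility argument in the proofs of Theorems 5 and 8 can be checked exactly for a geometrically distributed revelation round. This is an added example, not code from the paper; the function names are assumptions, and u_tn, u_nn, u_tt stand for the deviator's utility when he alone learns the secret, when nobody does, and when everyone does.

```python
from fractions import Fraction as F

def abort_probs(gamma, j):
    """(Pr[j = r], Pr[j < r], Pr[j > r]) for r ~ G(gamma) on rounds 1, 2, ..."""
    reach = (1 - gamma) ** (j - 1)            # Pr[j <= r]
    return gamma * reach, (1 - gamma) * reach, 1 - reach

def deviation_utility(gamma, j, u_tn, u_nn, u_tt, offline=False):
    """Expected utility of aborting in round j while all others follow."""
    p_eq, p_lt, p_gt = abort_probs(gamma, j)
    if offline:                               # Theorem 8: the case r < j does not occur
        return u_tn * p_eq + u_nn * p_lt
    return u_tn * p_eq + u_nn * p_lt + u_tt * p_gt   # Theorem 5: semi-offline dealer

def gamma_bound(u_tn, u_nn, u_tt):
    """Exclusive upper bound on gamma from u_tt > gamma*u_tn + (1 - gamma)*u_nn."""
    return F(u_tt - u_nn, u_tn - u_nn)

def strict_nash(gamma, u_tn, u_nn, u_tt, rounds=200, offline=False):
    """True if aborting in any round 1..rounds is strictly worse than following."""
    return all(deviation_utility(gamma, j, u_tn, u_nn, u_tt, offline) < u_tt
               for j in range(1, rounds + 1))
```

Exact fractions keep the comparison strict even for late rounds, where Pr[j ≤ r] is tiny and floating point would round the deviation utility up to u_tt.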
VI. CONCLUSION AND FUTURE WORK

Quantum secret sharing schemes either derived from QECC or teleportation do not succeed when we assume rational players. In this paper, for the first time we propose a new quantum rational secret sharing scheme that is fair, correct and achieves strict Nash equilibrium. Under this scheme, we propose two protocols, one with semi-offline dealer and the other with offline dealer. Semi-offline dealer appears twice: 1) at the time of the share distribution, 2) at the end of the game. In the second protocol, we make the dealer offline by giving the players auxiliary information related to the revelation round.

The only disadvantage of the protocols is that they require quantum memory. Also, the quantum no-cloning theorem prevents the players from copying their shares. So we let the dealer prepare the copies of the secret, as he knows the secret. Removing the requirement of the quantum memory is an interesting open problem.

In the classical rational secret sharing schemes, there are other notions of Nash equilibrium, such as computational Nash equilibrium under different adversarial models [il,[il,[i3)lill. Due to CSS code structure, no cloning and infinite range of the secret, the scenario is completely different in quantum setting and hence we consider only strict Nash equilibrium. Extended analysis of our protocol or its variants for alternative equilibrium models could be another potential future work.